Open source security - angels fear to tread?

Simon Phipps from Computerworld has a short post on why open source is good for security. He highlights two old security vulnerabilities: one that was fixed as soon as it was discovered by the open source community, and a second, in closed code, that remained outstanding from 2002 until the community got involved to fix it. It makes sense: security through obscurity is a fallacy, many hands make light work, and plenty of other clichés. Why would you not use as much open source software as possible? Management likes the price and now you're saying it's more secure? I'll take two!

Don't get me wrong, I'm not disagreeing with Simon. The benefits of millions of people examining code and providing fixes quickly, and of avoiding re-inventing the wheel, make sense. I just want you to keep a few things in mind before you jump in with both feet, especially in large corporations with legacy IT:

Support
It is fine to rely on the community for fixes, and often it can be faster than waiting for corporate release cycles. But if your system is down at 3am, the open source community does not have an SLA; there are no contractual requirements and penalties to provide incentives for writing quality fixes and regression testing them thoroughly. The open source community has no 24x7 phone number to call in an emergency. If that ace developer who loved OSS, spoke at the conferences and contributed back to the community leaves, what's your plan? If open source is used in critical systems with no commercial support you are just asking for trouble. But the good news is that commercial support is often available, and often a lot cheaper than for closed systems. You just can't treat open source as completely free.

Intellectual property
Open source software can be released under a number of different licences. Some are low risk, such as the BSD licence, which has no restrictions. However the EFF and many others in the open source community will argue that open source should not be something for-profit corporations simply take. Corporations have money; hackers, hobbyists and enthusiasts have time and the community. Corporations should not be able to take something that the community has developed, use it for free and give nothing back. Thus there are licences such as the GPL and the Affero GPL (AGPL). These have some specific restrictions that are intended to promote the open source spirit and contribution back to the community (all worthy goals). They are designed to ensure that if you benefit from open source software then any of your derivative works should be open source as well. This is what can get big corporations into trouble.

The EFF has won court cases recently against Westinghouse ($90,000 damages) and BvHD, and settled many more cases against software companies for breach of the GPL. For most companies it is not the potential financial damage but the brand damage a court case brings that they will want to avoid at all costs. The problems arise when you use open source in a proprietary program (even just a library or a link) and then want to distribute or licence it, or, with the Affero GPL, even make the combined software available over a network. If you do this, a condition of the GPL is that you could be forced to make your proprietary code available to anyone that wants it. At a previous company we went through a painful exercise to examine thousands of lines of code and strip out open source when the business wanted to licence to clients some software which had originally been written for internal use only.

Again, I am not saying don't use open source because of this; just be aware of where and how you are using it. Understand what "link" and "distribution" mean in legal speak, and make sure that the use of open source software, including its licence, is clearly documented and registered centrally with your legal department. Because even if there is no risk now, you never know what your little app today will morph into in 10 years' time and what your company will want to do with it.

Risk
I said above that the security through obscurity argument was self-evident, and it is, especially for public facing web applications. For these it is arguable that even without access to the source code, attackers will be able to find vulnerabilities. Using open source means you avoid common mistakes, are faster to market, ensure the code has a lot more scrutiny, and where bugs are found they can be fixed quickly. However, even the OWASP risk rating methodology has ease of detection and ease of exploit as vulnerability factors which increase the overall risk. Companies have lots of mainframe code that I'm sure has plenty of security vulnerabilities, but when you calculate the risk score it has to be lower than a cross site scripting vulnerability existing in the latest open source CMS you just downloaded. Now you can take the view that this is a dagger hanging over your head: it's only a matter of time before someone finds it and exploits it. An alternate view is that with limited resources, building defence in depth security controls and keeping the source code confidential is a legitimate risk mitigation strategy.
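As an added worked example (not from the original post) of the OWASP Risk Rating Methodology calculation the paragraph refers to, the script below scores the same cross site scripting flaw twice: once in a freshly downloaded open source CMS and once in proprietary mainframe code behind layered controls. The attacker profile and impact are held constant so that only the vulnerability factors (ease of discovery, ease of exploit, awareness, intrusion detection) move the score; all factor values are constructed for illustration.

```python
"""OWASP Risk Rating Methodology applied to the post's XSS comparison.
Factor values are constructed for illustration; the 0-9 scales, the
averaging and the overall-risk matrix follow the OWASP methodology."""
from statistics import mean


def severity(score: float) -> str:
    """Bucket a 0-9 average the way OWASP does: <3 LOW, <6 MEDIUM, else HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall risk matrix, keyed by (impact severity, likelihood severity)
OVERALL = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}


def rate(threat_agent: dict, vulnerability: dict, impact: dict) -> dict:
    """Likelihood = average of 4 threat-agent + 4 vulnerability factors;
    impact = average of the technical impact factors (constructed choice)."""
    like = mean(list(threat_agent.values()) + list(vulnerability.values()))
    imp = mean(impact.values())
    return {"likelihood": like, "impact": imp,
            "overall": OVERALL[(severity(imp), severity(like))]}


# Same attacker and same technical impact for both variants (constructed values)
THREAT_AGENT = {"skill_level": 5, "motive": 4, "opportunity": 7, "size": 6}
IMPACT = {"confidentiality": 7, "integrity": 5, "availability": 3, "accountability": 7}

# XSS in a downloaded open source CMS: scanners find it, a public exploit
# module exists, the bug is public knowledge, logs exist but nobody reviews them.
CMS_VULN = {"ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8}
# Equivalent flaw in confidential mainframe code with logged and reviewed access.
MAINFRAME_VULN = {"ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 1, "intrusion_detection": 3}


def compare() -> dict:
    """Score both scenarios so the difference in likelihood is visible."""
    return {"open_source_cms": rate(THREAT_AGENT, CMS_VULN, IMPACT),
            "mainframe": rate(THREAT_AGENT, MAINFRAME_VULN, IMPACT)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: likelihood={r['likelihood']:.2f} impact={r['impact']:.2f} overall={r['overall']}")
```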

In addition, you only get the benefits of quick fixes for open source if you have a robust change control process, a release window and support from the business to test and install updates when they are released. For example, it can be difficult to justify any downtime, the business benefit and the resources required to test an update to a small telnet function on the 50 Solaris servers running your mission critical 24x7 order processing platform. Also, if open source software is buried deep in a software stack and no one even knows that some developer downloaded that library to fix a problem 5 years ago and it was never updated... well, all this benefit is gone. Now what you have is a vulnerability that is easy to discover because it is on the Internet and easy to exploit because someone has written a Metasploit plugin for it. Hell, even some random piece of malware may use it to gain access to your system.

Now I'm not saying that closed source is more secure or that you should practice security through obscurity, but one of our security objectives is Confidentiality for the specific reason that keeping things secret has a point. Using open source because vulnerabilities are found and fixed quickly is a legitimate strategy but so is having some proprietary code with layered defences if it is providing business value and within your risk appetite.

Conclusion
The benefits of open source outweigh its costs in the majority of circumstances. I am especially a big fan of re-using widely reviewed, highly stress tested, community developed security functions through libraries such as the OWASP ESAPI. I'm just saying don't let management pressure you into blindly using open source: do think about it, get some advice from your legal and operations guys on the potential risks and implications, and make a considered decision on whether open source is right for your company in the way you are proposing to use it.